Cyber crime in Scotland: evidence review

Published: 23 Mar 2018
Directorate: Justice Directorate
Part of: Business, industry and innovation
ISBN: 9781788517096

A review of the evidence around the scale and nature of cyber crime affecting individuals and businesses in Scotland.

74 page PDF

888.0 kB

3. Cyber-crime as it impacts on businesses

This review now turns to consider the evidence relating to cyber-crime as it impacts on businesses. Following some contextual information, the evidence is presented and discussed in relation to fraud and computer misuse.

Main sources of evidence

The main evidence sources consulted are detailed below, including methodological details and known limitations. Such points should be borne in mind when considering the evidence from these sources.

Each source is listed below with its details, followed by its known limitations.

UK Cyber Security Breaches Survey

Details:
  • Random probability telephone survey of 1,523 UK businesses (i.e. all businesses within scope had an equal chance of being selected to participate).
  • Includes a 10% Scottish sample.
  • Fieldwork carried out 24 Oct 2016-11 Jan 2017.
  • Survey interviews with senior members of staff who have the most knowledge of or responsibility for cyber security.
  • Data weighted to be representative of the UK business population by size and included sectors.
  • Some analysis split by sector and business size: micro 2-9 employees, small 10-49, medium 50-249 and large 250 plus.
  • Businesses with no IT capacity or other online business presence were excluded from the survey. Although no figures on this are provided, it is noted that this applied to only a small minority of the original sample.
  • Second survey in this series, with the first covering 2016.

Limitations:
  • Excludes sole traders, the public sector and the forestry, fishing, mining and quarrying sectors.
  • Estimates of spending and costs associated with cyber security are derived from self-reported figures.
  • Only includes breaches identified by businesses.
  • Unclear whether the 10% Scottish sample is representative of Scotland.
  • No regional analysis given.
  • Not all breaches would necessarily be recorded as crimes under the Home Office Counting Rules.
  • Some cyber breaches may be dealt with directly by an outsourced provider; in such instances respondents answer to the best of their knowledge.

Commercial Victimisation Survey (CVS) 2016

Details:
  • Random probability sample of premises.
  • Telephone survey of 2,962 premises carried out Aug-Nov 2016.
  • Examines the extent of crimes against business premises in England and Wales.
  • A selection of sectors is included with each sweep. 2016: retail (1,128 respondents), transportation and storage (904 respondents) and administration and support (930 respondents).
  • Half of respondents who use computers at their premises are asked about their experience of online crime. This includes:
    • Hacking
    • Theft of money
    • Theft of information
    • Phishing
    • Website vandalism
    • Viruses
    • Other online crimes
  • Data is weighted for the sectors surveyed.

Limitations:
  • No Scottish sample.
  • Including different sectors in each sweep restricts time series data.
  • Not all incidents would necessarily be recorded as crimes under the Home Office Counting Rules.
  • Premises based, so will not capture incidents occurring at another level, e.g. head office.
  • Some crime types, including cyber, tend to affect a business as a whole rather than individual branches or premises. Thus the CVS is likely to underestimate the scale and prevalence of these crimes.
  • Crime counts are affected by the size of different industry sectors.
  • Only includes incidents identified by businesses.

British Retail Consortium (BRC) Retail Crime Survey

Details:
  • The 2016 survey sample covered 37% of the retail sector in the UK by turnover (i.e. the retailers surveyed accounted for 37% of sector turnover).
  • Sample covered 35% of staff, equivalent to 1.1 million employees.
  • Appears to be head office based, but this is not entirely clear.

Limitations:
  • Very limited details available on methodology. Not clear how businesses were sampled, how representative they are, how the survey was carried out, etc.
  • Membership organisation.
  • UK data only.
  • Only covers the retail sector.

Financial Fraud Action: Fraud, the facts 2017

Details:
  • Reports on data from FFA UK members.
  • Provides data on card fraud, cheque fraud and remote banking.
  • All fraud loss figures are reported as gross. These represent the value of fraud including any funds subsequently recovered by a bank.

Limitations:
  • Membership organisation.
  • UK data only.
  • Not clear how data received from organisations is quality assured, certified, etc.
  • Membership changes could affect the figures, and therefore time series analysis is not possible.

Cifas Fraudscape 2017

Details:
  • Reports on data from Cifas National Fraud Database members.
  • 277 members from across UK public and private sectors.

Limitations:
  • Membership organisation.
  • Not clear how data received from organisations is quality assured, certified, etc.
  • Membership changes could affect the figures, and therefore time series analysis is not possible.

Cifas National Fraud Statistics

Details:
  • Reports on data from members across multiple databases.
  • Over 400 members in 2016.

Limitations:
  • As above (Cifas Fraudscape 2017).

KPMG Small Business and Reputation: The Cyber Risk

Details:
  • Online survey of 1,000 small businesses. Fieldwork carried out December 2015.
  • Respondents from 10 UK regions including Scotland.
  • Small businesses = up to 25 employees, including sole traders.
  • Businesses from manufacturing, financial services, life sciences, retail and design/creative.
  • Senior decision makers interviewed in businesses.

Limitations:
  • Not apparent how businesses were selected.
  • Findings only apply to those surveyed, i.e. not representative.
  • Small sample size; only 18 businesses in Scotland.

Cyber Security Tracker 2017 - Ipsos Public Affairs

Details:
  • UK panel survey which includes 1,160 SMEs.
  • Fieldwork carried out 7 Feb-6 Mar 2017.

Limitations:
  • Primarily for marketing purposes.
  • Representativeness of sample unclear.
  • Subject to sampling error.
  • Data mostly for the UK, but some Scottish breakdowns provided.
  • Not apparent what constitutes an SME.

Scottish Business Resilience Centre (SBRC)/Karen Renaud: Survey of small and medium enterprises (SMEs) 2015/16

Details:
  • 74 Scottish businesses took part in a postal survey and 36 participated in face-to-face or telephone interviews.

Limitations:
  • Not apparent how businesses were selected; subject to sampling error.
  • Small sample size.
  • Not apparent what constitutes an SME.

Context

Internet use

As with the section on individuals, it is important to consider internet and cyber technology usage amongst businesses, in addition to their priorities and use of cyber security measures as a means of providing context to the subsequent findings.

In the absence of Scotland-specific data, the 2017 Cyber Breaches Survey provides the most comprehensive and timely UK contextual data. That said, some business sectors (public sector organisations, forestry, fishing, mining and quarrying) and businesses with no IT capacity or other online business presence were excluded from the survey. Therefore it is likely that the figures below are higher than we would expect for all businesses across the UK. Yet the survey does note that only a small minority of the businesses sampled were excluded due to having no IT capacity. References herein to findings from this survey are only representative of the included sectors.

At a UK level, the 2017 Cyber Security Breaches Survey reported:

  • Almost all (99%) of the UK businesses covered [100] use online services of some form. A large majority have a website (83%), online bank account (73%), electronically hold personal information about customers (61%) and over half (59%) have a social media page. The latter increased by 9 percentage points on the 2016 survey.
  • Over half (58%) of UK businesses consider online services a core part of their offering.
  • For 74% of UK businesses, cyber security is considered a high priority for senior management and 76% believe core staff take cyber security seriously. Fewer businesses now say it is a very low priority than in 2016.
  • The vast majority of UK businesses have cyber security measures in place including applying software updates (92%), malware protection (90%) and firewalls (89%).
  • The majority of UK businesses (67%) spent money on cyber security in 2017. By far the most common (unprompted) reason for investing is to protect customer data (51%), up 15 percentage points on 2016. Of note, businesses in Scotland are more likely to cite prevention of fraud or theft (28%, versus 17% overall) as one of their main reasons for investing.
  • As would be expected, median spend rose in line with business size, with large firms investing £21,200 over the previous year compared to an overall median of £200. Average spend varies widely by sector.

Research challenges

Within the subsequent sections the review considers evidence which tries to estimate the financial costs of fraud and computer misuse to businesses. In an attempt to contextualise these figures, it is worth noting some of the challenges around deriving such estimates.

Many organisations collect data on the impact of cyber-crime on businesses. However, as these data are not collected consistently across organisations, it is not possible to present a robust overview of the impact of cyber-crime on business. Nevertheless, it is clear from the available evidence that cyber-crime is an issue for businesses.

The Costs of Cyber Crime Working Group, established by the Home Office in October 2014, conducted a number of research projects and a review of previous studies to better understand the challenges associated with developing cost estimates. The main issues encountered centred around the inconsistent use of definitions of both costs and cyber-crime, meaning most studies did not measure the same thing, limiting the scope for comparisons. [101] In addition to definitional differences, various studies attempted to measure very different types of cost, as well as different types of cyber-crime. Such challenges are reflected in the evidence included in this review.

Group 3 – Crimes of dishonesty

Summary of findings

  • In spite of the challenges highlighted above, it is clear from the available evidence that fraudulent acts are frequently experienced by businesses.
  • The 2017 Cyber Breaches Survey found that staff receiving fraudulent emails or being redirected to fraudulent websites was the most common type of cyber breach experienced by UK businesses covered by the survey.
  • The 2016 Retail Crime Survey revealed fraud to be the second most commonly experienced crime amongst respondents, accounting for 18% of incidents.
  • Available evidence suggests the costs of online fraudulent activities are smaller than costs associated with traditional crimes and amount to a minority of total online transactional values.
  • The 2016 Retail Crime Survey estimated that 53% of the total financial cost of fraud against UK retailers is cyber-enabled, representing a total direct cost to the industry of around £100 million. This translates to approx. 15% of the total direct cost of crime against retailers.
  • UK evidence from Financial Fraud Action shows in 2016, fraud losses as a proportion spent on UK issued cards stood at 8.3 pence per £100.
  • For 2016 Financial Fraud Action estimated value of transactions carried out online using fraudulently obtained cards accounted for 9.5 pence in every £100 spent with UK merchants.

Some of the evidence included below could also sit within the section on fraud affecting individuals. However, such instances have been included here because the evidence is reported by businesses themselves, rather than by individuals. This review acknowledges that some crossovers do exist.

Fraud as a whole

There are some sources which provide various indications of how fraud can affect businesses. While limitations with the evidence mean we cannot provide definitive conclusions, overall it appears as though fraudulent acts are a common issue and amongst the most frequently experienced crimes by businesses:

  • CIFAS [102] recorded 324,683 confirmed cases of fraud via their database of 277 members in 2016 [103]. It is not possible to look at time series data, due to the changes in membership.
  • CIFAS recorded 16,660 confirmed cases of fraud [104] in Scotland in 2016 via their databases of over 400 UK members. 'Misuse of facility' fraud was the most common, with 5,827 cases [105]. As with the above, we are not able to look at trends over time due to membership changes.
  • Financial Fraud Action UK [106] found that 1.8 million accounts were defrauded via card fraud in 2016 at a value of £618 million [107]. Over 1.4 million of these were remote purchase card fraud [108] at a value of £432 million. The report notes that in the vast majority of such cases card details are obtained through unsolicited emails, phone calls or digital attacks such as malware and data hacks. Whilst the loss of £618 million appears sizeable, for 2016 the FFA estimates that fraud losses as a proportion of spending on UK issued cards stood at 8.3 pence per £100. It is not possible to look at year-on-year comparisons due to changes in the organisation's membership.
  • The Retail Crime Survey found fraud [109] to be the second most frequently experienced crime by respondents (behind customer theft), accounting for 18% of incidents in 2016. The 2016 CVS found 7% of incidents carried out against retail premises were acts of fraud [110]. The variation between these two figures is likely attributable to key methodological differences (e.g. coverage, level of measurement etc.) as noted in the source table.

Online fraud

The 2017 Cyber Security Breaches Survey found that 46% [111] of UK businesses identified at least one cyber security breach or attack in the previous 12 months. By far the most common type of cyber breach experienced was 'staff receiving fraudulent emails or being redirected to fraudulent websites', identified by 72% of businesses suffering a breach. [112] In addition, just over a quarter (27%) of businesses who encountered a breach, experienced 'others impersonating the organisation in emails or online'.

However, it is not clear whether the survey distinguishes between incidents where staff simply received such emails and those where staff acted on them, e.g. by responding to the emails or disclosing information. This could in part explain why the figure for fraudulent emails is considerably higher than that for the second most frequently experienced breach.

Analysing data from its UK members, Cifas reports that of the 173,000 cases of identity fraud in 2016, 88% were internet-enabled. [113] Although they provide little explanation as to what internet-enabled amounts to, they do point to the internet as a key contributing factor to the continuing increase of identity fraud amongst its members.

At a premises level, the 2016 CVS reveals experiences of phishing [114] varied according to sector. For premises in administration and support, there were 39 incidents per 1,000 premises in England and Wales, the fourth most common type of online crime [115] in this sector. However for transportation and storage, the figure stood at 2 incidents per 1,000 premises and no rate was recorded for the retail and wholesale sector. This perhaps reflects the high use of computers in the administration and support premises surveyed. [116]

FFA data shows that 14,673 phishing websites [117] were targeted against UK banks and building societies in 2016. The FFA also captures data on case volumes of online banking fraud, which occurs when a fraudster gains access to and transfers funds from an individual's online bank account. Figures show there were 20,088 cases of online banking fraud in 2016.

Costs of online fraud

Based on data from their members the FFA estimates that online card fraud against UK retailers totalled £189.4 million in 2016. Unfortunately no further information on this is provided. Considering the cost of online fraud from a different perspective, the FFA reports on the value of transactions carried out online using fraudulently obtained cards (irrespective of where the card details were sourced). In this respect, the FFA estimates £308.8 million [118] worth of online/e-commerce fraud [119] took place on cards in 2016, accounting for 50% of all card fraud and 71% of remote purchase fraud. However this equates to only 9.5 pence in every £100 worth of sales for UK merchants being fraudulent. In addition the FFA estimated the value of online banking fraud losses in 2016 as £101.8 million.

The 2016 Retail Crime Survey asked retailers for the first time to estimate the percentage of the total cost of fraud levelled against them that was conducted online ('cyber-enabled fraud'). It was estimated that just over half (53%) of the total cost of fraud was cyber-enabled [120], representing a total direct cost to the industry of around £100 million. Looking at the broader picture, this translates to approximately 15% of the total direct cost of crime against retailers. It is important to note, however, that these figures are based on self-reported estimates.

Future evidence – Online fraud

The BRC Retail Crime Survey plans to conduct further work to refine the distinctions between cyber-enabled fraud and cyber-crime, in close collaboration with retailers, to ensure they are able to generate the most accurate picture of the cost of crime occurring online.

Recognising the limitations of CVS (namely that it is measured at a premises level) the Home Office began work with Ipsos MORI to explore the possibility of carrying out a survey of head offices. Following development work, a pilot survey was carried out from February to April 2017 in the Financial, and Wholesale and Retail sectors. The 2017 CVS which is due for release in Spring 2018 will include an update on how the head office survey is to progress.

Group 4 – Fire-raising, vandalism etc.

Summary of findings

  • 'Computer misuse' is used to capture a number of crimes generally covered by the Computer Misuse Act 1990 and incorporates activities such as unauthorised access (e.g. hacking) and attacks (computer viruses).
  • The UK-level 2017 Cyber Breaches Survey estimates that 46% of businesses identified at least one cyber breach or attack between 2016 and 2017. But this data is subject to caveats.
  • Incidence of such breaches increases with business size (number of employees) and turnover, in addition to varying by sector.
  • The attractiveness of personal customer data to criminals could be increasing the risks for companies holding such information. The 2017 Cyber Breaches Survey found that 51% of UK businesses holding personal customer data experienced a breach, compared to 37% who didn't hold this information.
  • Evidence from the UK 2017 Cyber Breaches Survey shows that where businesses experience a breach, incidents of computer viruses, spyware and malware (33%), in addition to ransomware (17%), are amongst the most common.
  • Evidence suggests that staff are viewed as pivotal in the prevention of cyber attacks but are also potentially a weak link in businesses' defences.
  • Very few businesses have systems in place to calculate the costs of cyber attacks and there is a lack of consistency in previous research which attempts to estimate costs.
  • The majority of businesses identifying a breach do not report it to external bodies, and even fewer report it beyond their cyber security provider. The main reason given is that the incident or its impact was not significant enough.

Computer misuse

As mentioned in the corresponding section on individuals, the term 'computer misuse' is used to capture a number of crimes generally covered by the Computer Misuse Act 1990 and incorporates activities such as unauthorised access (e.g. hacking) and attacks (computer viruses). For statistical purposes such acts sit within recorded crime group 4.

Unlike crimes affecting individuals the main evidence source (Cyber Security Breaches Survey) frequently makes reference to 'cyber breaches or attacks' as a whole, rather than the specific activities involved. Such evidence is included here under the heading of computer misuse as the majority of the acts [121] constituting a 'cyber breach or attack' sit within this grouping.

Incidents of computer misuse

The majority of the evidence cited in this chapter comes from the 2017 Cyber Breaches Survey. Whilst it is a valuable UK source, it is important to bear in mind the limitations previously highlighted, mainly that the survey excludes some sectors (public sector organisations, forestry, fishing, mining and quarrying) in addition to businesses with no IT capacity or other online business presence. Thus references herein to findings from the survey are only representative of the sectors included.

The 2017 Cyber Security Breaches Survey estimates that just under half (46%) of UK businesses identified at least one cyber security breach or attack in the last 12 months [122].

  • This ranges from 38% of micro businesses to 68% of larger firms. In addition to rising with business size (number of employees), the incidence of cyber breaches increases with turnover too.
  • Breaches are more commonly identified in certain sectors such as information, communications or utilities (62%), administration or real estate (62%) and professional, scientific or technical services (60%) [123].
  • UK businesses that hold personal customer data are more likely to have identified breaches (51%), than those that do not (37%). [124]

Of UK businesses identifying a cyber security breach or attack in the last 12 months, [125] a third (33%) encountered 'computer viruses, spyware and malware', the second most common type of breach, and 17% experienced ransomware. The analysis makes the link between these sorts of incidents and human behaviour, e.g. unwittingly clicking on a malicious link, highlighting the importance of staff awareness. What could be classed as more technical breaches, e.g. hacking or attempted hacking of businesses' online bank accounts, and Distributed Denial of Service attacks, are less common (9% and 8% respectively) [126].

Considering specific sectors, the 2016 CVS found that when excluding 'other online crimes' [127], the incidence rate for computer viruses was the highest amongst online crimes for all sectors. This ranged from 155 incidents of computer viruses per 1,000 transportation and storage premises [128] to 78 per 1,000 retail and wholesale premises. Staying with retail, a third of respondents to the 2016 Retail Crime Survey noted their business had seen an increase in Denial of Service attacks over the previous year and a further 30% had experienced an increase in whaling incidents. [129]

Looking solely at cyber breaches amongst small and medium size businesses, the 2017 Cyber Security Tracker revealed that at a UK level 20% of such businesses had experienced a cyber breach in the previous 12 months [130].

Victimisation of computer misuse

Returning to the Cyber Security Breaches Survey, for over a third (37%) of businesses experiencing a breach or attack in the last 12 months, it was a one-time occurrence, whilst for 62% it was a more frequent occurrence. [131] Of note, 37% experienced them once a month or more. Large businesses are more likely to be victimised repeatedly, with only 18% experiencing a one-off breach in the last year and 80% subject to multiple breaches [132].

Outcomes and impacts of computer misuse

The Cyber Security Breaches Survey found that 41% of businesses who identified a cyber breach in the previous 12 months noted that it resulted in a material outcome (e.g. loss of assets), translating to 19% of all UK businesses. This could be skewed by the prevalence of fraudulent emails, which are less likely to result in an outcome. For those businesses experiencing an outcome [133], the most common was temporary loss of files or network access (23%), followed by corrupted or damaged software/systems (20%).

Looking beyond material outcomes, almost six in ten (57%) firms identified an impact, with 'new measures needed for future attacks' the most frequent (38%), followed by a loss of staff time (34%). The impacts experienced varied by business size with medium and large firms more likely than average to experience any impact (71%).

Almost nine in ten (89%) of UK small businesses who participated in the 2015 KPMG survey and had experienced a cyber breach [134] felt that the incident impacted on their reputation. Thirty-one per cent noted brand damage, 30% loss of clients and 30% said it impacted on their ability to attract new employees.

In terms of reactions, the Cyber Security Breaches Survey found the most common action taken after a breach is to raise staff awareness via training or communications (28%), rising to 33% amongst firms where breaches resulted in an outcome. This suggests staff are viewed as pivotal in preventing such breaches and also potentially as a weak link, which resonates with the earlier discussion around the role of human behaviour.

More than half (57%) of businesses noted that it took no time at all to restore business operations after they identified a breach [135]. For a further quarter (23%), this took less than a day, meaning that overall 81% were able to get back to normal in less than a day. Findings from the KPMG small business survey are generally similar. Here it took on average 26 hours for respondents to resolve a breach.

Costs of computer misuse

Attempting to monitor and measure the financial costs of a cyber breach is complex, and this may explain why the 2017 Cyber Security Breaches Survey found only 6% of businesses had such systems in place. Consequently, the survey estimated (based on self-reporting) the median cost of breaches identified in the last 12 months, taking account of all impacts. Considering breaches with an outcome [136], the median cost to businesses was £300, rising to £8,230 for large firms. The mean overall cost is markedly higher, highlighting that a minority of businesses experience substantial financial consequences from breaches.

Although only focused on retailers, the BRC 2016 Retail Crime Survey estimated that cyber-crime (defined as crime committed through the use of ICT) represents 5% of the total direct cost of crime to UK retail businesses. This amounts to an estimated direct financial loss to the industry of £36 million per annum. These figures do not include instances of cyber-enabled fraud, as such costs were calculated separately and are discussed in the previous chapter. Thus the vast majority of these costs likely stem from incidents under the remit of computer misuse.

Reporting of computer misuse

Analysis from the 2017 Cyber Security Breaches Survey reveals that whilst 92% of businesses flagged breaches to directors and senior management, external reporting is limited. Less than half (43%) of firms [137] reported their most disruptive breach (in the last 12 months) outside their organisation. However, this falls to 26% when only considering those who reported a breach to an external body other than their cyber security provider. Looking at this in more detail, the most common (unprompted) place to report a breach was a bank, building society or credit card company (28%) [138], followed by the police (19%). Among those who did not report breaches externally [139], over half (58%) attributed this to not considering the breach or its impact to be significant enough, followed by not knowing who to report it to (16%). This suggests that more guidance is needed on why and where businesses should report cyber breaches.

Future evidence on computer misuse

The next release of the Cyber Security Breaches Survey is due in Spring 2018. Whilst the survey is reviewed annually as part of its development, where questions remain unchanged time series data will be available.

The Costs of Cyber-Crime Working Group commissioned a project to devise a costs of cyber-crime framework. [140] Based closely on previous Home Office work, the framework breaks associated costs into three categories:

1. Costs in anticipation: normally defensive and preventative measures taken by businesses, e.g. training, technology costs etc.
2. Costs as a consequence: costs that occur as an immediate result of a crime, e.g. business disruption, reputation damage, equipment/infrastructure damage. Businesses tend to have little or no control over these costs.
3. Costs in response: costs that occur as a result of a decision regarding what to do in response to a specific crime. These mostly concern the criminal justice system but incorporate costs incurred through increased IT spending which occurs as a direct result of an incident, change of security provider etc. Businesses are likely to have greater control over these costs.

The costs of cyber-crime framework is intended to enable researchers to identify the various component costs of cyber-crime and how these combine to form the overall cost of cyber-crime, in addition to the costs resulting from specific cyber-crimes, e.g. fraud and computer misuse.

It is hoped that the framework will enable greater understanding of research gaps and encourage further, consistent research which can be pulled together to arrive at a more robust and accurate understanding of the cost of cyber-crime and specific crime types. Here, the framework has been discussed in relation to businesses, but it could also be applied to individuals and government entities.
